This feature is currently in Beta.
In this article, you’ll learn how to integrate OKTA with an Acreto Ecosystem. The OKTA integration allows users to connect to your Acreto Ecosystem with Acreto TLS Client using the credentials managed by OKTA.
It uses the LDAPS (LDAP Secure) protocol and the OKTA LDAP Interface, which can be enabled on your OKTA account.
This process involves the following steps:
The integration uses the LDAP service account credentials to retrieve the user’s distinguished name (DN) from the LDAP server. Given the user’s DN, the integration then reconnects to LDAP and binds with the user’s DN and password.
In the diagram below, you can see the communication flow between an employee (trying to connect to the Ecosystem using Acreto TLS Client), the Acreto Ecosystem and Azure AD.
The integration uses a read-only connection that never writes to OKTA. It only queries for information.
All authentication requests originate from Acreto Ecosystem addresses. Therefore, it’s not possible to implement granular network-based access control on OKTA. See the relevant article in the OKTA documentation.
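The two-step bind described above (a read-only service-account bind that looks up the user’s DN, then a re-bind as that DN with the user’s password), written out as an added example that is not Acreto’s or OKTA’s code. It assumes the third-party ldap3 library, an Okta LDAP Interface host in the style of example.ldap.okta.com with the Okta login exposed as the uid attribute, and the DNs in the constructed in-memory directory are placeholders.

```python
import ssl

# RFC 4515 escaping. The login comes from the client and must never be spliced into a
# filter raw: "*" or ")(" would otherwise rewrite the query (LDAP filter injection).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_user_filter(login: str) -> str:
    # The Okta LDAP Interface exposes the Okta login as "uid" (assumed attribute name).
    return f"(&(objectClass=inetOrgPerson)(uid={escape_filter_value(login)}))"

def ldaps_bind(host: str, dn: str, password: str):
    """Simple bind over LDAPS (636) with certificate validation; None if the bind fails."""
    from ldap3 import Connection, Server, Tls  # assumed third-party dependency
    server = Server(host, port=636, use_ssl=True, tls=Tls(validate=ssl.CERT_REQUIRED))
    conn = Connection(server, user=dn, password=password)
    return conn if conn.bind() else None

def authenticate_user(host, service_dn, service_pw, base_dn, login, password, bind=ldaps_bind):
    """Return the user's DN when both binds succeed, else None. `bind` is injectable."""
    if not password:
        return None  # an empty password would turn step 2 into an anonymous bind
    svc = bind(host, service_dn, service_pw)  # step 1: read-only service-account bind
    if svc is None:
        raise RuntimeError("service-account bind failed; check DN, password, LDAPS reachability")
    svc.search(base_dn, build_user_filter(login), attributes=[])  # search only, never modify
    dns = [e.entry_dn for e in svc.entries]
    svc.unbind()
    if len(dns) != 1:
        return None  # unknown login, or an ambiguous match: refuse rather than guess
    user = bind(host, dns[0], password)  # step 2: re-bind as the user's own DN
    if user is None:
        return None
    user.unbind()
    return dns[0]

# Constructed in-memory directory so the flow can be exercised offline (no real Okta).
_FAKE_DIR = {"uid=svc-acreto,ou=users,dc=example,dc=okta,dc=com": "svc-pw",
             "uid=jdoe,ou=users,dc=example,dc=okta,dc=com": "s3cret"}

class _FakeConn:
    entries = []
    def search(self, base, flt, attributes=None):
        self.entries = [type("E", (), {"entry_dn": d})() for d in _FAKE_DIR
                        if d.endswith(base) and flt == build_user_filter(d.split(",")[0][4:])]
    def unbind(self): pass

def fake_bind(host, dn, password):
    return _FakeConn() if _FAKE_DIR.get(dn) == password else None
```

Pass `bind=fake_bind` to walk through the flow against the constructed directory; the default `ldaps_bind` talks to a real LDAPS endpoint.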
We recommend using the OKTA Verify Push Verification method for multifactor authentication. If you want to use other methods, see Use multifactor authentication with the LDAP Interface.
To proceed with setting OKTA for Acreto Ecosystems, you need:
You should also be familiar with:
To configure your OKTA account, you need to enable the OKTA LDAP Interface. Please go through the following procedures:
Ensure that the Third-Party Administrator account you created will not be challenged with OKTA Multifactor Authentication for requests originating from your Ecosystem IP addresses. You also need to whitelist the following addresses in the server section of the Identity Provider creation page in step 2.
Add New Identity Provider
To add a new Identity Provider:
Create Security Policy to allow traffic sent by your users
When you create a new Identity Provider, a new Profile Group is created with a name containing the Identity Provider name, for example: Identity Provider LDAP001 (fa45). By default, all users authenticated with this Identity Provider are assigned to that Profile Group.
To allow traffic from users authenticating through that Identity Provider, select this Profile Group in the Source field of the Security Policy. For detailed instructions on creating a Security Policy, see Create first security policy.
Commit your changes
To test the integration:
To get more information about the end-user onboarding experience, see the onboarding documentation.
Thanks to the Acreto and OKTA Identity Provider integration, users can connect to an Acreto Ecosystem with the same credentials they use for other internal resources on their network domain.